
  • New employee in charge of ISO 9001 transition


    1) Is it that a person who assists them to get ISO 9001:2015 should know how the company performs its sales and purchasing activity? Can a newly joined member execute that?
    2) Products and services with no feedback from the customer, etc.: are these documents a must for ISO 9001:2015, or do you need to include ISO 9001:2008 along with the 2015 documents that are made?
    3) Rather than documentation, as in ISO 9001:2008, in 2015 they say documented information. Is any existing information enough, or how will your toolkit make it easy? Can you list the advantages?

    Answer:

    1) When formulating a procedure for sales or any other process you must consult the person responsible or, even better, assist them in making the procedure by themselves. In this way you will avoid missing something out, and the procedure will be accurate and therefore followed within the process. This is the best practice for any process, not only sales: with greater involvement of all relevant personnel in the company, you will implement the standard more easily and effectively.

    2) You do not have to make any significant changes in the procedure for measuring customer satisfaction if the existing procedure is compliant with the new version of the standard. But if you choose to create a new procedure and a new record, they are the only documents to be used, and the documents according to ISO 9001:2008 should be withdrawn.

    3) Documented information is a new term that comprises both documents and records. There is no real change compared to the previous version except the terminology and, to some extent, extended requirements for document and record control. Existing documentation can be enough if it complies with the requirements of the new version of the standard.

    Our documentation toolkits are fully compliant with the standard, and they comprise best practices and experience with the standard's requirements. They are easy to use, with an average of 20 comments per document that explain how they should be filled in. Also, together with the toolkit you will get access to video tutorials and have an online meeting with an expert who will help you with the implementation of ISO 9001:2015.
  • Gaining competence for ISO 9001:2015


    Answer:

    There is no formal requirement for internal auditors to attend internal auditor training or get any certificate. They only need to be familiar with the requirements of the standard in order to be able to perform the audit. This can be achieved through courses or awareness sessions or seminars or even independently if they have previous knowledge of ISO 9001:2008.

    Having the certificate, or any other testimonial of competence, would just make it easier for the auditor to prove that he or she is capable of conducting the audit. I can recommend our free ISO 9001:2015 online courses:
    - ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
  • ISO 27001 and personal data protection


    Answer:

    Personal data protection regulations are slightly different in various countries; however, generally speaking, ISO 27001 covers ca. 90% of those requirements.

    We are currently working on an article about the relationship between ISO 27001 and the EU GDPR - it will be published on our ISO 27001 blog https://advisera.com/27001academy/blog/ in a couple of weeks - you can subscribe to the Newsletter and you will be notified automatically.

    By the way, standard ISO 27018 is focused on personal data protection in the cloud - this article explains the details: ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Nonconformity and CA

    Yes, but the new version of the standard does not require documented procedures for control of nonconformities or corrective actions. That is the reason why we decided to merge those two procedures into one: to decrease the number of documents and yet provide a more efficient way to address the requirements regarding nonconformity and corrective actions.

    Procedures can be merged into one or separated; it mostly depends on the needs of the company. If you are more comfortable with having two separate procedures, you can divide the Procedure for Management of Nonconformities CA into two procedures.
  • Whatsapp Privacy policy


    Answer:

    The privacy policy of Whatsapp (by the way, Whatsapp was bought by Facebook in 2014) is about personal data, which is a part of information security, but really information security covers much more (software development, business continuity, communications security, etc.).

    And from my point of view, this privacy policy is similar to other companies, for example Google: they can use your personal data (name, mobile number, address, etc.) to know you better and to offer you specific services.

    So, if you accept this privacy policy, the information that you have in Whatsapp can be shared with Facebook, which means that you will receive specific services (based on your interests), although you have an option in Whatsapp to not accept this policy, which means that you won't receive specific services.

    Anyway, if you are an active user on Facebook, they probably have a lot of information about you, because they can know your "Likes", "Loves", etc., your groups of interest, etc.

    My recommendation: take care with your personal data, protect it, and don’t share it with people that you don’t know.

    By the way, there is an ISO standard related to personal data, and maybe it can be interesting for you: "ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud" https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

    And this article about information security controls for cloud services (everything, including your personal data, is in the cloud) can also be interesting for you: "ISO 27001 vs. ISO 27017 - Information security controls for cloud services" https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    Finally, these materials will help you to know more about the information security:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Application Management


    Answer:
    The Application Management function is your "place" where the expertise regarding the applications you use is "located". This means that such a function will have your best application experts at your disposal. What's the use? In incident resolution, root cause analysis (Problem Management process), change evaluation/assessment and planning, etc. So, whenever you need experts for the applications in use (and we use a lot of them throughout our working day), you should know where to look for them.
    Now, experts are an expensive workforce. So, most probably, you'll not use them for incident troubleshooting (except when incident diagnosis is beyond your incident management staff) but for more complex tasks. Service Desk staff (as an example) is usually part of the Incident Management process. Application experts are on some further level of support (e.g. 2nd or 3rd, depending on how many people you have in IT Service Management).
    Read these articles to learn more:
    "ITIL Application Management Function – Custodian of application knowledge" https://advisera.com/20000academy/blog/2014/09/09/itil-application-management-function-custodian-application-knowledge/
    "ITIL application management within the service lifecycle" https://advisera.com/20000academy/blog/2014/03/18/itil-application-management-lifecycle-within-service-lifecycle/
  • Benefits of ISO 27001 for a Care company


    Answer:
    Basically you need to show the CEO what the benefits of the implementation of ISO 27001 are, which are mainly 4: compliance, marketing edge, lowering expenses and putting your business in order. This article can be interesting for you: "Four key benefits of ISO 27001 implementation" https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#benefits

    Anyway, if your company is in the business of providing care to numerous people where confidentiality is important, then ISO 27001 can help you keep all that information secret.

    And our free webinar can also be interesting for you: "ISO 27001 benefits: How to obtain management support" https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

    Finally, these materials will help you to know more about the benefits of ISO 27001 and how to implement it:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Risk assessment methodology


    Answer:
    Basically, if you want, you can develop your own methodology, and for this you can use our recommendations, so this article can be interesting for you: "How to write ISO 27001 risk assessment methodology" https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    By the way, our methodology for risk assessment & treatment is based on 6 basic steps, which you can see here: "ISO 27001 risk assessment & treatment - 6 basic steps" https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    Regarding the asset risk register, first you need to identify assets, and afterwards identify the risks related to these assets (according to the previous articles). So, for the identification of assets this article can also be interesting for you: "How to handle Asset register (Asset inventory) according to ISO 27001" https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    Finally, these materials will help you to perform the risk assessment & treatment in your organization:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Impact of document control on the company


    Answer:

    Control of documents is crucial for the effective functioning of the management system and the organization. Document control represents a set of rules for the identification, publishing, withdrawal and protection of documents. Without it, it is impossible to maintain the system, to ensure that the proper documents are at the place of use, or even that the documents in use are approved by the responsible person.

    For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Assessing risks for laptops as separate assets?


    Answer: Yes - in this case you should use 3 different assets since they obviously have different vulnerabilities, threats, likelihood and impact. You should use one "asset class" only if all assets in that class have very similar vulnerabilities, threats, likelihood and impact.

    By the way, this free online training explains the details about risk assessment: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/